GUIDELINE 7/2022 REGARDING CERTIFICATION AS A TOOL FOR TRANSFERS
By Mugurel Olariu, RPD protectie date
EDPB, adopted in June, Guideline 7/2022 regarding certification as a tool for transfers. This document is in the public consultation phase until September 30, 2022.
These guidelines provide guidance as to the application of Article 46 (2) (f) of the GDPR on transfers of personal data to third countries or to international organizations on the basis of certification.
In essence, art. 46 of the GDPR provides that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organizations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, among others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR).
The guideline contains four sections and an appendix, as follows:
Part one of this document clarifies that the guidelines supplement the already existing general Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool.
According to Article 44 of the GDPR, any transfer of personal data to third countries or international organizations, must meet the conditions of the other provisions of the GDPR in addition to complying with Chapter V of the GDPR. Therefore, as a first step, compliance with the general provisions of the GDPR must be ensured and, as a second step, the provisions of Chapter V of the GDPR must be complied with. The actors who are involved and their core roles in this context are described, with a special focus on the role of the data importer who will be granted a certification and of the data exporter who will use it as a tool to frame its transfers (considering that the responsibility for data processing compliance remains with the data exporter). In this context the certification can also include additional measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Part one of the guidelines also contains information on the process for obtaining a certification to be used as tool for transfers.
The second part of these guidelines recalls that the requirements for accreditation of a certification body are to be found in ISO 17065 and by interpreting the Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR and its Annex against the background of Chapter V. However, in the context of a transfer, these guidelines further explain some of the accreditation requirements applicable to the certification body.
The third part of these guidelines provides for guidance on the certification criteria already listed in Guidelines 1/2018 and establishes additional specific criteria that should be included in a certification mechanism to be used as a tool for transfers to third countries.
These criteria cover the assessment of the third country legislation, the general obligations of exporters and importers, rules on onward transfers, redress and enforcement, process and actions for situations in which national legislation and practices prevents compliance with commitments taken as part of certification and requests for data access by third country authorities.
Part four of these guidelines provides elements that should be addressed in the binding and enforceable commitments that controllers or processors not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries. These commitments, which may be set out in different instruments including contracts, shall in particular include a warranty that the importer has no reason to believe that the laws and practices in the third country applicable to the processing at stake, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent it from fulfilling its commitments under the certification.
The Appendix of these guidelines contains some examples of supplementary measures in line with those listed in Annex II Recommendations 01/2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) in the context of the use of a certification as a tool for transfers.